Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / phosphor-certificate-manager / 8f60085ebdbffd054ebe0e76d57b90e6bad7c838^! / .
commit8f60085ebdbffd054ebe0e76d57b90e6bad7c838[log] [tgz]
authorJayanth Othayoth <ojayanth@in.ibm.com>Mon Oct 08 20:44:45 2018 -0500
committerJayanth Othayoth <ojayanth@in.ibm.com>Mon Oct 15 08:56:12 2018 -0500
tree0de8cf9761638636d3e816a9df7bca71980a4a57
parent9abfae88195b9d177fde85b0af06c1310e9509c5 [diff]
Ignore trust-chain related errors during certificate upload

This patch allow user to upload CA signed certificate file
with out CA certificate in the certificate store or in the chain.

Ignore trust chain related errors during openssl based verification.

Trust chain error info:
    X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
    X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
    X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
    X509_V_ERR_CERT_UNTRUSTED
    X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE

Change-Id: I86d00947c0c581afcfa34fc238155f8c7a05971c
Signed-off-by: Jayanth Othayoth <ojayanth@in.ibm.com>

diff --git a/certs_manager.cpp b/certs_manager.cpp
index a4f9116..3a530c4 100644
--- a/certs_manager.cpp
+++ b/certs_manager.cpp

@@ -34,13 +34,22 @@
 using InvalidCertificate =
     sdbusplus::xyz::openbmc_project::Certs::Install::Error::InvalidCertificate;
 using Reason = xyz::openbmc_project::Certs::Install::InvalidCertificate::REASON;
+// Trust chain related errors.`
+#define TRUST_CHAIN_ERR(errnum)                                                \
+    ((errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ||                     \
+     (errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) ||                       \
+     (errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) ||               \
+     (errnum == X509_V_ERR_CERT_UNTRUSTED) ||                                  \
+     (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
 
 void Manager::install(const std::string path)
 {
     // Verify the certificate file
     auto rc = verifyCert(path);
-    // Allow certificate upload, for "certificate is not yet valid" case.
-    if (!((rc == X509_V_OK) || (rc == X509_V_ERR_CERT_NOT_YET_VALID)))
+    // Allow certificate upload, for "certificate is not yet valid" and
+    // trust chain related errors.
+    if (!((rc == X509_V_OK) || (rc == X509_V_ERR_CERT_NOT_YET_VALID) ||
+          TRUST_CHAIN_ERR(rc)))
     {
         if (rc == X509_V_ERR_CERT_HAS_EXPIRED)
         {